The present invention is generally directed to USB device redirection in a virtual desktop infrastructure (VDI) environment. USB device redirection generally refers to making a USB device that is connected to a client accessible within a virtual desktop as if the USB device had been physically connected to the virtual desktop. In other words, when USB device redirection is implemented, a user can connect a USB device to his or her client terminal and the USB device will function as if it had been connected to the server.
FIGS. 1 and 2 and the following description will provide a general overview of how USB device redirection can be implemented in accordance with some embodiments of the present invention. In FIG. 1, a computing system 100 is depicted as including a number of client terminals 102a-102n (referenced generally herein as client(s) 102) in communication with a server 104 via a network 106. Server 104 can be configured to support a remote session (e.g., a remote desktop session) wherein a user at a client 102 can remotely access applications and data at the server 104 from the client 102. Such a connection may be established using any of several well-known techniques such as the Remote Desktop Protocol (RDP) and the Citrix® Independent Computing Architecture (ICA).
Client terminal 102 may represent a computer, a mobile phone (e.g., smart phone), a laptop computer, a thin client terminal, a personal digital assistant (PDA), a portable computing terminal, or a suitable terminal or device with a processor. Server 104 may represent a computer, a laptop computer, a computing terminal, a virtual machine (e.g., VMware® Virtual Machine), a desktop session (e.g., Microsoft Terminal Server), a published application (e.g., Microsoft Terminal Server) or a suitable terminal with a processor.
Client 102 may initiate a remote session with server 104 by sending a request for remote access and credentials (e.g., login name and password) to server 104. If server 104 accepts the credentials from client 102, then server 104 may establish a remote session, which allows a user at client 102 to access applications and data at server 104. During the remote session, server 104 sends display data to client 102 over network 106, which may include display data of a desktop and/or one or more applications running on server 104. The desktop may include, for example, icons corresponding to different applications that can be launched on server 104. The display data allows client 102 to locally display the desktop and/or applications running on server 104.
During the remote session, client 102 may send user commands (e.g., inputted via a mouse or keyboard at client 102) to server 104 over network 106. Server 104 may process the user commands from client 102 similar to user commands received from an input device that is local to server 104. For example, if the user commands include mouse movements, then server 104 may move a pointer on the desktop running on server 104 accordingly. When the display data of the desktop and/or application changes in response to the user commands, server 104 sends the updated display data to client 102. Client 102 locally displays the updated display data so that the user at client 102 can view changes at server 104 in response to the user commands. Together, these aspects allow the user at client 102 to locally view and input commands to the desktop and/or application that is running remotely on server 104. From the perspective of the client side, the desktop running on server 104 may represent a virtual desktop environment.
FIG. 2 is a block diagram of a local device virtualization system 200 in accordance with embodiments of the present invention. System 200 may include client 102 in communication with server 104 over network 106 as illustrated in FIG. 1. Client 102 may include a proxy 210, a stub driver 220, and a bus driver 230. Client 102 can be connected to a device 240, as shown in FIG. 2. Server 104 may include an agent 250 and a virtual bus driver 260.
In accordance with USB device redirection techniques, while device 240 is not locally or physically connected to server 104 and is remote to server 104, device 240 appears to server 104 as if it is locally connected to server 104, as discussed further below. Thus, device 240 appears to server 104 as a virtual device 290.
By way of illustration and not limitation, device 240 may be any type of USB device including a machine-readable storage medium (e.g., flash storage device), a printer, a scanner, a camera, a facsimile machine, a phone, an audio device (e.g., a headset), a video device (e.g., a camera), a peripheral device, or other suitable device that can be connected to client 102. Device 240 may be an external device (i.e., external to client 102) or an internal device (i.e., internal to client 102).
Bus driver 230 can be configured to allow the operating system and programs of client 102 to interact with device 240. In one aspect, when device 240 is connected to client 102 (e.g., plugged into a port of client 102), bus driver 230 may detect the presence of device 240 and read information regarding device 240 (“device information”) from device 240. The device information may include features, characteristics and other information specific to device 240 such as a device descriptor (e.g., product ID, vendor ID and/or other information), a configuration descriptor, an interface descriptor, an endpoint descriptor and/or a string descriptor. Bus driver 230 may communicate with device 240 through a computer bus or other wired or wireless communications interface.
In accordance with USB device redirection techniques, device 240 may be accessed from server 104 as if the device were connected locally to server 240. Device 240 may be accessed from server 104 when client 102 is connected to server 104 through a remote session running on server 104. For example, device 240 may be accessible from the desktop running on server 104 (i.e., virtual desktop environment). To enable this, bus driver 230 may be configured to load stub driver 220 as the default driver for device 240. Stub driver 220 may be configured to report the presence of device 240 to proxy 210 and to provide the device information (e.g., device descriptor) to proxy 210. Proxy 210 may be configured to report the presence of device 240, along with the device information, to agent 250 of server 104 over network 106. Thus, stub driver 220 redirects device 240 to server 104 via proxy 210.
Agent 250 may be configured to receive the report from proxy 210 that device 240 is connected to client 102 and the device information. Agent 250 may further be configured to associate with the report from proxy 210 one or more identifiers for client 102 and/or for a remote session through which client 102 is connected to server 104, such as a session number or a session locally unique identifier (LUID). Agent 250 can provide notification of device 240, along with the device information, to virtual bus driver 260. Virtual bus driver 260 (which may be a TCX USB bus driver, or any other bus driver) may be configured to create and store in memory a record corresponding to device 240, the record including at least part of the device information and session identifiers received from agent 250. Virtual bus driver 260 may be configured to report to operating system 170 of server 104 that device 240 is connected and to provide the device information to the operating system. This allows the operating system of server 104 to recognize the presence of device 240 even though device 240 is connected to client 102.
The operating system of server 104 may use the device information to find and load one or more appropriate device drivers for device 240 at server 104. Each driver may have an associated device object (object(s) 281a, 281b, . . . , 281n, referred to generally as device object(s) 281), as illustratively shown in FIG. 2. A device object 281 is a software implementation of a real device 240 or a virtualized (or conceptual) device 290. Different device objects 281 layer over each other to provide the complete functionality. The different device objects 281 are associated with different device drivers (driver(s) 282a, 282b, . . . 282n, referred to generally as device driver(s) 282). In an example, a device 240 such as a USB flash drive may have associated device objects including objects corresponding to a USB driver, a storage driver, a volume manager driver, and a file system driver for the device. The device objects 281 corresponding to a same device 240 form a layered device stack 280 for device 240. For example, for a USB device, a USB bus driver will create a device object 281a stating that a new device has been plugged in. Next, a plug-and-play (PNP) component of the operating system will search for and load the best driver for device 240, which will create another device object 281b that is layered over the previous device object 281a. The layering of device objects 281 will create device stack 280.
Device objects 281 may be stored in a memory of the server 104 associated with virtual bus driver 260. In particular, device objects 281 and resulting device stack 280 may be stored in random-access memory of server 104. Different devices 240/290 can have device stacks having different device objects and different numbers of device objects. The device stack may be ordered, such that lower level device objects (corresponding to lower level device drivers) have lower numbers than higher level device objects (corresponding to higher level device drivers). The device stack may be traversed downwards by traversing the stack from higher level objects to lower level objects. For example, in the case of an illustrative device stack 280 corresponding to a USB flash drive, the ordered device stack may be traversed downwards from a high-level file system driver device object, to a volume manager driver device object, to a storage driver device object, to a USB driver device object, and finally to a low-level virtual bus driver device object. Different device stacks 280 can be layered over each other to provide the functionality of the devices 240/290 inside devices, like USB Headsets, or USB pen drives. A USB pen drive, for example, can create a USB device stack first, over which it can create a storage device stack, where each of the device stacks have two or more device objects.
Once one or more device object(s) 281 are loaded by operating system 170 of server 104, each device object 281 can create a symbolic link (also referred to as a “device interface”) to device object 281 and associated device driver 282. The symbolic link is used by applications running on server 104 to access device object 281 and device 240/290. The symbolic link can be created by a call to a function such as IoCreateSymbolicLink( ) including such arguments as a name for the symbolic link, and a name of device object 281 or associated device 240. In one example, for example, a symbolic link to a USB flash drive device 240 is created by a call from a device object 281 for device 240 to the function IoCreateSymbolicLink( ) including arguments “\\GLOBAL??\C:” (i.e., the name for the symbolic link) and “\Device\HarddiskVolume1” (i.e., a name of the device object).
The creation of a symbolic link results in an entry being created in an object manager namespace (OMN) of operating system 170. The OMN stores information on symbolic links created for and used by operating system 170, including symbolic links for devices 240, virtualized devices 290, and applications 270 running on server 104.
As a result of the symbolic link creation process, a symbolic link to device 240 is enumerated in the OMN of server 104. Once the presence of device 240 is reported to operating system 170 of server 104, device 240 may be accessible from a remote session (and associated desktop) running on server 104 (i.e., virtual desktop environment). For example, device 240 may appear as an icon on the virtual desktop environment and/or may be accessed by applications running on server 104.
An application 270 running on server 104 may access device 240 by sending a transaction request including the symbolic link for device 240 to operating system 170. Operating system 170 may consult the Object Manager Namespace to retrieve an address or other identifier for the device itself 240 or for a device object 281 associated with device 240. Using the retrieved address or identifier, operating system 170 forwards the transaction request for device 240 either directly, through a device object 281 of device stack 280, and/or through virtual bus driver 260. Virtual bus driver 260 may direct the transaction request to agent 250, which sends the transaction request to proxy 210 over network 106. Proxy 210 receives the transaction request from agent 250, and directs the received transaction request to stub driver 220. Stub driver 220 then directs the transaction request to device 240 through bus driver 230.
Bus driver 230 receives the result of the transaction request from device 240 and sends the result of the transaction request to stub driver 220. Stub driver 220 directs the result of the transaction request to proxy 210, which sends the result of the transaction request to agent 250 over network 106. Agent 250 directs the result of the transaction request to virtual bus driver 260. Virtual bus driver 260 then directs the result of the transaction request to application 270 either directly or through a device object 281 of device stack 280.
Thus, virtual bus driver 260 may receive transaction requests for device 240 from application 270 and send results of the transaction requests back to application 270 (either directly or through a device object 281 of device stack 280). As such, application 270 may interact with virtual bus driver 260 in the same way as with a bus driver for a device that is connected locally to server 104. Virtual bus driver 260 may hide the fact that it sends transaction requests to agent 250 and receives the results of the transaction requests from agent 250 instead of a device that is connected locally to server 104. As a result, device 240 connected to client 102 may appear to application 270 as if the physical device 240 is connected locally to server 104.
Smart card readers are a type of USB device that can be redirected in much the same manner as described above. However, due to security concerns, the Windows operating system places limits on how an application can access a smart card that has been inserted into a smart card reader. In particular, the Windows operating system does not allow an application executing within a remote session to access a smart card unless the smart card is mapped from the remote session. Using the above described redirection techniques, a redirected smart card will appear as if it was locally connected, and therefore it will not be accessible within the remote session.
FIG. 3A provides an example of how Windows applies these limits using the same general architecture of server 104 as described above. In this example, a smart card 340 is connected directly to server 104 (i.e., not over a remote session). For ease of illustration, smart card 340 can generally represent a smart card reader alone or a smart card reader and a smart card that has been inserted into the reader.
As is typical, operating system 170 will cause appropriate drivers to be loaded for smart card 340 as represented by smart card driver stack 380. An application 370 can therefore access smart card 340 via the appropriate interfaces of operating system 170. In the Windows operating system, an application can access a smart card via a cryptographic service provider (or CSP) and the WinSCard API. This CSP may be a vendor-specific CSP or a Windows-provided CSP (Basecsp.dll) which works in tandem with a vendor-provided smart card mini-driver. CSP 170a is intended to represent either of these scenarios.
Via CSP 170a and WinSCard API 170b, application 370 can invoke functionality of the Smart Card Resource Manager service (or simply “resource manager”) 170c. Resource manager 170c then interfaces with the smart card driver(s) for any smart card connected to server 104 whether physically or virtually.
Resource manager 170c is the component of the Windows operating system that is configured to block access to a smart card from any application that is running in a remote session thus making a redirected smart card inaccessible within a remote session. The exact manner in which resource manager 170c blocks access is beyond the scope of this discussion. Suffice it to say that the Windows smart card subsystem will only list mapped smart cards to applications executing within a remote session such that the smart cards, including redirected smart cards, will not be visible to such applications. For example, FIG. 3B illustrates a scenario where smart card 340 is connected to client 102 and redirected to server 104 via a remote session such that virtual smart card 390 appears on server 104. To resource manager 170c, smart card 390 will appear as a locally connected device.
In this scenario, the user may run application 370 for the purpose of accessing smart card 340. However, because application 370 is executing within a remote session, resource manager 170c will block access to smart card 340 (since it believes smart card 370 is locally connected). In short, Windows is configured to prevent a smart card from being accessed within a remote session whether or not the smart card is locally connected or redirected over a remote session.
To enable a smart card to be accessed within a remote session, driver mapping techniques have been created. FIG. 3C generally illustrates how this driver mapping can be implemented. To enable smart card access within a remote session, a driver mapping component 385 can be executed on server 104 and smart card driver stack 380 can be installed on client 102. Driver mapping component 385 can generally represent any of the possible ways in which a driver can be mapped as is known in the art. For simplicity, it can be assumed that driver mapping component 385 intercepts smart card API calls that are directed towards smart card driver stack 380 installed on server 104 and routes these API calls to proxy 210 (or another component) via RPC. In essence, this bypasses the mechanisms in the Windows Smart Card Subsystem (i.e., resource manager 170c) that would otherwise block the API calls due to application 370 being executed within a remote session. Proxy 210 can then invoke these API calls. Responses from smart card 340 can be returned in a similar manner.
Although this driver mapping technique works, it is not desirable or possible in many situations. For example, client 102 may not be compatible with the smart card driver(s) that will need to be loaded into smart card driver stack 380 in order to handle some or all of the mapped API calls. Specifically, a Linux operating system is employed on many thin clients and Windows-based smart card drivers are incompatible with Linux. Additionally, very few smart card providers have developed drivers that can be employed for driver mapping on non-Windows clients.
Further, to accommodate mismatches between the versions of the client operating system and the server operating system, current driver mapping solutions do not map all smart card APIs. For example, many smart card APIs that are available in Windows Server 2016 or Windows 10 (e.g., the SCardGetReaderDeviceInstanceId function) are not mapped and will therefore fail if invoked inside a remote session.
Finally, installing the smart card drivers on the client prevents the client from being “lightweight.” For example, many entities create computing environments in which their employees use thin or zero clients. It is oftentimes desirable to minimize the components on these clients to reduce cost. Requiring the installation of the smart card drivers in turn increases the hardware requirements for the client as well as requires additional management.